Office of Audits
Office of Inspector General
U.S. General Services Administration

Audit of GSA's Mobile Computing Initiatives
Report Number A130016/O/F/F13003
September 10, 2013


REPORT ABSTRACT

Audit of GSA's Mobile Computing Initiatives
Report Number A130016/O/F/F13003
September 10, 2013

OBJECTIVE

The objective of this audit was to determine whether the General Services Administration's (GSA) implementation of initiatives for mobile devices and mobile applications was consistent with its information technology (IT) strategic goal for access to GSA systems from Any Location, Anytime, and Any Device (A3) and the White House's Digital Government Strategy. Specifically, this audit focused on the following:

  • Did the GSA Office of the Chief Information Officer (OCIO) fulfill its milestone actions related to mobile devices and mobile applications under the White House's Digital Government Strategy?
  • Did the GSA Chief Information Officer's (CIO) policies and procedures for mobile computing sufficiently address security and privacy controls for mobile devices and mobile applications, include sufficient GSA user training, and include approval of mobile application terms of service?
  • Were GSA's services and staff offices adhering to GSA OCIO guidance on mobile computing?

WHAT WE FOUND

We identified the following during our audit:

Finding 1 – GSA lacks comprehensive standards for mobile application security, privacy, and development, increasing risk to deployed mobile applications.

Finding 2 – GSA OCIO guidance on mobile device acquisition does not sufficiently address risks associated with brand name specifications and could result in excessive expenditures and contractor protests to awards.

Finding 3 – GSA's mobile device assessment process was not documented, which could result in knowledge loss due to personnel disruptions.

WHAT WE RECOMMEND

Based on our audit findings we recommend the GSA CIO:

  1. Develop comprehensive standards for mobile applications including:
       a. Security standards to address the following risks:
            i. Exploitation of vulnerabilities due to poor programming practices
           ii. Compromise of sensitive application data
          iii. Not completing security assessment and authorization requirements
       b. Privacy standards to include directions on creating and distributing privacy notices.
       c. Development standards to identify mobile platforms to target for publicly available applications.
  2. Ensure that currently deployed mobile applications meet the updated standards.
  3. Issue guidance and/or training related to tablet device acquisition to remind acquisition personnel about requirements for brand name specifications.
  4. Formally document the process for reviewing mobile devices.

MANAGEMENT COMMENTS

Management agreed with our findings and recommendations. The GSA CIO's complete response is presented in Appendix B.

Finance & Information Technology Audit Office
1800 F Street, NW, Suite 5215
Washington DC 20405
202-273-7322


DATE:     September 10, 2013
TO:       Casey Coleman
          Chief Information Officer (I)
FROM:     Donna Peterson-Jones
          Audit Manager, (JA-F)
SUBJECT:  Audit of GSA's Mobile Computing Initiatives
          A130016/O/F/F13003

This report presents the results of our audit of GSA's Mobile Computing Initiatives. Our findings and recommendations are summarized in the Report Abstract. Instructions regarding the audit resolution process can be found in the email that transmitted this report.

Your written comments to the draft report are included in Appendix B of this report.

If you have any questions regarding this report, please contact me or any member of the audit team at the following:

Donna Peterson-Jones   Audit Manager       donna.peterson@gsaig.gov       202-273-7334
Terry Williams         Auditor-In-Charge   terry.williams@gsaig.gov       202-273-7329
Dominique Lipscomb     Management Analyst  dominique.lipscomb@gsaig.gov   202-273-7322
Damian Pryor           Management Analyst  damian.pryor@gsaig.gov         202-273-7322
Steven Swantek         Auditor             steven.swantek@gsaig.gov       202-273-7322

On behalf of the audit team, I would like to thank you and your staff for your assistance during this audit.


Table of Contents

Introduction

Results
  Finding 1 – GSA lacks comprehensive standards for mobile application security, privacy, and development, increasing risk to deployed mobile applications
  Finding 2 – GSA OCIO guidance on mobile device acquisition does not sufficiently address risks associated with brand name specifications and could result in excessive expenditures and contractor protests to awards
  Finding 3 – GSA's mobile device assessment process was not documented, which could result in knowledge loss due to personnel disruptions
  Recommendations
  Management Comments

Conclusion

Appendixes
  Appendix A – Purpose, Scope, and Methodology
  Appendix B – Management Comments
  Appendix C – Report Distribution


Introduction

One of the General Services Administration's (GSA) information technology (IT) strategic goals is to provide access to GSA systems from Any Location, Anytime, and Any Device (A3).[1] The A3 goal has two initiatives relating to mobile devices and mobile applications. One initiative seeks to provide the GSA workforce with secure access to GSA's IT resources and systems regardless of how, where, or when they are working. The second seeks to transform enterprise and legacy applications using modern technologies (e.g., middleware, web, and mobile computing), architecture, and frameworks to enable access from any device, anywhere, and at any time.

Specific GSA actions associated with A3 include procuring and connecting mobile devices to GSA systems, optimizing existing web sites for mobile use, and developing mobile applications for its legacy systems. GSA has implemented a mobile device management platform to assist in controlling access to enterprise resources, such as email and virtual desktop connections. At the time of our audit, GSA had developed four mobile applications for legacy web sites that were publicly available on the Apple or Google Play mobile application stores. In addition, GSA was in the process of developing other mobile applications for internal use.

On August 2, 2011, GSA decentralized the acquisition of mobile devices. At that time, the GSA Chief Information Officer (CIO) issued an instructional letter to the Heads of Services and Staff Offices and Regional Administrators delegating responsibility for the acquisition of tablet devices to the services and staff offices.[2]

On May 23, 2012, the White House launched the Digital Government Strategy to coordinate efforts and focus on taking an information- and customer-centric approach to changing how the government works and delivers services.[3] Digital Government Strategy milestone actions include a requirement that agencies improve priority, customer-facing services for mobile use.

The objective of this audit was to determine whether GSA's implementation of initiatives for mobile devices and mobile applications was consistent with its IT strategic goal for access to GSA systems from A3 and the White House's Digital Government Strategy. Specifically, this audit focused on the following:

  • Did the GSA Office of the Chief Information Officer (OCIO) fulfill its milestone actions related to mobile devices and mobile applications under the White House's Digital Government Strategy?
  • Did the GSA CIO policies and procedures for mobile computing sufficiently address security and privacy controls for mobile devices and mobile applications, include sufficient GSA user training, and include approval of mobile application terms of service?
  • Were GSA's services and staff offices adhering to GSA OCIO guidance on mobile computing?

See Appendix A – Purpose, Scope, and Methodology for additional details.

[1] GSA FY12–15 Information Technology Strategic Business Plan, http://www.gsa.gov/graphics/staffoffices/itstrategicplan2012.pdf.
[2] GSA CIO IL-11-01, Smart Phone and Tablet Device Acquisition and Support Policy, August 2, 2011.
[3] Digital Government: Building a 21st Century Platform to Better Serve the American People, http://www.whitehouse.gov/sites/default/files/omb/egov/digital-government/digital-government.html.


Results

Finding 1 – GSA lacks comprehensive standards for mobile application security, privacy, and development, increasing risk to deployed mobile applications.

GSA has released mobile applications that were not assessed for mobile security risks, lacked privacy notices, and/or inconsistently targeted mobile platforms. This resulted from GSA not comprehensively addressing security, privacy, and development risks in standards relating to mobile applications.

Standards for security of mobile applications

While GSA requires all applications to undergo GSA's security assessment and authorization process in accordance with the Federal Information Security Management Act of 2002 (FISMA),[4] none of the released mobile applications underwent required security assessments and authorizations. Developers of these mobile applications did not deem this requirement to be applicable prior to release to the Apple or Google Play mobile application stores. However, not completing these required activities reduces the assurance that security requirements for systems are being implemented correctly, operating as intended, and producing the desired outcome.

GSA developed and released four mobile applications. After the release, GSA OCIO established procedures specifying the required evaluations for mobile applications (both GSA developed and commercially developed) using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 controls.[5] However, we determined that these controls did not comprehensively address mobile security risks. The risks identified in the Open Web Application Security Project (OWASP) Mobile Security Project included weak server side controls, insecure data storage, and insufficient transport layer protections.[6] Exploitation of these risks could affect the confidentiality, integrity, or availability of deployed mobile applications. In addition, our evaluation of the four GSA developed mobile applications found that none were assessed for these mobile-specific risks.

Standards for privacy of mobile applications

Privacy information that could be captured from a mobile application includes device identifications, location, camera and/or photos, Internet Protocol (IP) addresses, and contacts. A privacy notice helps ensure that the public has notice and choice about, and thus confidence in, how their personal information is handled when they use the mobile applications. Best practices identified in a Federal Trade Commission report recommended that mobile application developers ensure that their privacy notice is easily accessible through the app stores.[7] However, GSA has not developed privacy standards for mobile applications to ensure that publicly available applications include privacy notices. Our evaluation of GSA's mobile applications found that none had privacy notices specific to data usage captured from the use of mobile applications. The lack of privacy notices could reduce the public's confidence that GSA will appropriately use their information.

Standards for development of mobile applications

According to GSA's System Development Life Cycle Policy,[8] the GSA CIO assumes responsibility for assuring that IT is well governed in GSA, including establishing and maintaining local system development life cycle processes, practices, standards, and governance. However, GSA's development standards have not been updated to identify target platforms for mobile applications developed for the public (e.g., Android or Apple iOS). As a result, GSA's approach to targeting platforms has been inconsistent. In fact, one GSA staff office developed one mobile application only for Android, and developed another mobile application only for Apple's iOS. Since the purpose of these mobile applications is to reach the public, inconsistent targeting of platforms limits GSA's audience.

[4] FISMA requires agencies to develop and maintain minimum controls required to protect federal information and information systems.
[5] NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations, Rev. 3, August 2009.
[6] OWASP is a not-for-profit organization focused on improving the security of software. The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. See https://www.owasp.org/index.php/OWASP_Mobile_Security_Project.
[7] Mobile Privacy Disclosures, Building Trust Through Transparency, February 2013, http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf.
[8] GSA Order CIO 2140.3, CIO Systems Development Life Cycle (SDLC) Policy, September 29, 2006.

Finding 2 – GSA OCIO guidance on mobile device acquisition does not sufficiently address risks associated with brand name specifications and could result in excessive expenditures and contractor protests to awards.

We identified two acquisitions for 19 iPads and accessories totaling $14,775.34 that were made using brand name specifications. The Federal Acquisition Regulation (FAR) 11.104-11.105 prohibits the use of brand name specifications except under very limited circumstances.[9] We believe the improper specification of brand names is of particular concern in tablet device acquisitions because preferences derived from personal experiences tend to be particularly strong when it comes to mobile devices.[10] However, GSA Instructional Letter CIO IL-11-01 Smart Phone and Tablet Device Acquisition and Support Policy does not provide guidance related to brand name specification requirements for tablet device acquisitions. The agency's use of brand name specifications could result in excessive expenditures in tablet device acquisitions due to the lack of full and open competition and could increase the risk of contractor protests to agency contract awards.

[9] For the purposes of this audit, a brand name specification is defined as a description that specifies a particular brand name, product, or product feature that is peculiar to one manufacturer. (FAR 11.105)
[10] According to Pew Research Center's Project for Excellence in Journalism, mobile device operating system loyalty is exhibited among those that have both a tablet computer and a smartphone. See http://www.journalism.org/analysis_report/device_ownership.

Finding 3 – GSA's mobile device assessment process was not documented, which could result in knowledge loss due to personnel disruptions.

According to Office of Management and Budget Circular A-123, management needs to ensure that appropriate policies, procedures, and mechanisms exist with respect to each of the agency's activities. However, the security assessment for GSA's mobile devices has not been documented. The Office of the Senior Agency Information Security Officer (OSAISO) has one staff member reviewing mobile devices for GSA employees prior to approval for access to GSA internal systems. Since the process is not documented, if GSA loses the employee, it will no longer have knowledge of the process or of the requirements.[11]

[11] During the audit the OSAISO provided a checklist of requirements including encryption and proper functioning in the GSA mobile device management platform for device approval.

Recommendations

Based on our audit findings we recommend the GSA Chief Information Officer:

  1. Develop comprehensive standards for mobile applications including:
       a. Security standards to address the following risks:
            i. Exploitation of vulnerabilities due to poor programming practices
           ii. Compromise of sensitive application data
          iii. Not completing security assessment and authorization requirements
       b. Privacy standards to include directions on creating and distributing privacy notices.
       c. Development standards to identify mobile platforms to target for publicly available applications.

  2. Ensure that currently deployed mobile applications meet the updated standards.

  3. Issue guidance and/or training related to tablet device acquisition to remind acquisition personnel about requirements for brand name specifications.

  4. Formally document the process for reviewing mobile devices.

Management Comments

Management agreed with our findings and recommendations. The GSA CIO's complete response is presented in Appendix B.


Conclusion

We found that GSA is making progress in its IT strategic goal to provide enhanced mobile access to GSA systems and data. First, GSA fulfilled its milestone actions related to mobile devices and mobile applications under the White House's Digital Government Strategy by prioritizing two existing, major, customer-facing services for modernization. Second, our evaluation of the mobile device management platform identified that it enforces security controls for mobile devices in accordance with GSA requirements. Third, user training on mobile devices informs users of mobile-specific security concerns. Fourth, GSA reviews terms of service for mobile applications before approval for agency use.

However, GSA can strengthen the implementation of its mobile computing initiatives by:

  (1) Developing comprehensive standards for mobile application security, privacy, and development;
  (2) Ensuring that mobile applications undergo required security assessment and authorizations and meet updated standards;
  (3) Providing guidance on mobile device acquisition that sufficiently addresses risks associated with brand name specifications, specifically to prevent excessive expenditures and contractor protests; and
  (4) Documenting processes to ensure continuity of GSA's mobile device assessments to prevent knowledge loss in case of personnel disruptions.

We believe that making the improvements recommended in this report will better enable GSA to provide enhanced mobile access to the agency's systems and data.


Appendix A – Purpose, Scope, and Methodology

Purpose

This audit was performed to assess GSA's actions to provide enhanced mobile access to government systems and data. It was included in the Office of Inspector General's Fiscal Year (FY) 2013 Audit Plan.

Scope

The audit's scope includes results of the Office of Inspector General's evaluations of the OCIO's oversight of the implementation of the GSA's mobile computing initiatives as it relates to mobile devices and applications.

Methodology

To accomplish our objectives, we:

  • Interviewed OCIO officials implementing mobile computing initiatives associated with its A3 strategy.
  • Interviewed mobile application developers in the Federal Acquisition Service, Office of Government-Wide Policy, Office of Citizen Services and Innovative Technologies, and Office of the Chief Information Officer.
  • Performed walkthroughs to verify: (1) controls to manage mobile devices in GSA's mobile device management platforms and (2) controls for security testing of mobile platforms.
  • Reviewed applicable mobile device and application privacy, security, development, and acquisition regulations, policies, and guidance.
  • Reviewed GSA's services and staff offices' adherence to GSA CIO guidance on mobile computing by: (a) testing deployed mobile applications for security controls, privacy controls, and adherence to development standards and (b) evaluating tablet computer purchases for compliance with procurement regulations (e.g., Trade Agreements Act, fair opportunity, and brand name purchases).

We conducted the audit between October 2012 and March 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Internal Controls

This audit included a review of elements of GSA's mobile computing initiatives, relating to management of mobile devices, oversight of mobile application development, and limited testing of controls over acquisition of mobile tablets. The Results and Recommendations sections of this report state, in detail, the need to strengthen specific processes and controls in implementation of the GSA CIO's mobile computing initiatives.


Appendix B – Management Comments


Appendix C – Report Distribution

GSA Chief Information Officer (I)

Senior Agency Information Security Officer (IS)

Division Director, GAO/IG Audit Response Division (H1C)

Audit Liaison, Office of the Chief Information Officer (I)

Assistant Inspector General for Auditing (JA)

Deputy Assistant IG for Investigations (JID)

Director, Audit Planning, Policy, and Operations Staff (JAO)